FortiWeb - SQLi Test
I've already written a lot about Web Application Firewalls (WAF). I think these appliances are useful for securing web applications at layer 7 from sophisticated attacks such as XXE attacks or CSRF attacks. In fact, I've already deployed, installed and configured several WAF appliances such as F5 BIG-IP ASM and AWS WAF. However, I had never deployed, installed and configured the Fortinet FortiWeb WAF appliance until last week.
Fortinet FortiWeb is a Web Application Firewall which has many more web security features than Fortinet FortiGate to block web application attacks. For instance, FortiWeb can be configured with machine learning to protect web applications from known and unknown exploits. Therefore, FortiWeb defends applications from known vulnerabilities and from zero-day threats. I think FortiWeb is easy to manage and configure like any other Fortinet family appliance. In addition, Fortinet Security Fabric can also interoperate with FortiWeb.
There are lots of network topologies to deploy a WAF. On the one hand, we should always deploy a WAF after the network firewall, so that the WAF is between the firewall and the web servers. WAF and IPS are not the same. Most network firewalls have an IPS, which is useful to block layer 3 attacks such as IP spoofing attacks or DoS attacks. However, a WAF is useful to block layer 7 attacks. Therefore, we should block layer 3 attacks before layer 7 attacks.
Figure: FortiGate + FortiWeb
On the other hand, we should deploy a WAF before the load balancer, so that the WAF is between the load balancer and the clients. There are two main reasons for this deployment. Firstly, we don't have to balance WAF devices; we'll balance the real servers instead. Secondly, HTTP requests will correctly appear to originate from the real client's IP address, not (due to SNAT) from your load balancer.
Figure: FortiWeb + FortiADC
These are two recommendations for planning the network topology. However, we have to take another one into account: we should know the difference between router mode and one-arm mode. Router mode is the topology where the real servers' gateway is the WAF; therefore there is no SNAT, but we need a new network to deploy the WAF between the real servers and the network firewall. One-arm mode is easier to deploy because we don't need a new network, but SNAT configuration is required; therefore the X-Forwarded-For (XFF) header has to be enabled to know the clients' IP addresses.
Figure: One-arm mode topology
FortiWeb is easy to configure and manage. If we want to configure a basic security policy to defend a web application, we'll have to configure a server pool, a virtual server and a server policy. Firstly, the server pool is the set of real servers which are going to be defended. Secondly, the virtual server is the WAF IP address which is going to listen for HTTP/S requests. Finally, the server policy is the security configuration that defends the server pool on the virtual server IP address. For instance, we can watch a basic security configuration in the next video to defend a web application from a SQLi attack.
// Query built by string concatenation: the user-supplied value becomes part of the SQL text.
"select * from users where LAST_NAME = '" + userName + "'";
// Resulting SQL when userName is "Lim' OR '1'='1": the OR clause makes the WHERE condition always true.
"select * from users where LAST_NAME = 'Lim' OR '1'='1'";
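To see why the WAF has to catch this payload before it reaches the application, here is an added example (not code from the original post or from FortiWeb) that runs the post's concatenated query and a parameterized version of it against a constructed in-memory SQLite "users" table; the table contents and function names are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the application's "users" table.
SAMPLE_USERS = [(1, "Lim"), (2, "Tan"), (3, "Wong")]

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, LAST_NAME TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn

def lookup_vulnerable(conn, user_name):
    # Same construction as the post: the input is spliced into the SQL text,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = "select * from users where LAST_NAME = '" + user_name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, user_name):
    # Hardened form: the value is bound as a parameter and never parsed as SQL,
    # so the same payload only matches a last name literally equal to it.
    sql = "select * from users where LAST_NAME = ?"
    return conn.execute(sql, (user_name,)).fetchall()

# The injection value from the post.
PAYLOAD = "Lim' OR '1'='1"

def demo():
    conn = build_db()
    return {
        "vuln_normal": len(lookup_vulnerable(conn, "Lim")),        # 1 row
        "vuln_payload": len(lookup_vulnerable(conn, PAYLOAD)),     # every row leaks
        "safe_normal": len(lookup_parameterized(conn, "Lim")),     # 1 row
        "safe_payload": len(lookup_parameterized(conn, PAYLOAD)),  # 0 rows
    }

if __name__ == "__main__":
    print(demo())
```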
Regards my friends. Have a nice day!